SlideShare ist ein Scribd-Unternehmen logo

Android Security & Penetration Testing

Subho Halder
Subho Halder

These slides were presented at GDG MeetUp in Bangalore which was held on 21st September 2013. Uploading the slides to help the people who wanted the slide Deck

Technologie
1 von 40
Downloaden Sie, um offline zu lesen
ANDROID SECURITY & PENETRATION TESTING Subho Halder @sunnyrockzzs #AFE Monday, 23 September 13
./AboutMe.sh Information Security Researcher Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan. Lead Developer of AFE (Android Framework for Exploitation) Python Lovers Co-founder of XYSEC (http://xysec.com) Have found bug in some famous websites including Google, Apple, Microsoft, Skype, Adobe and many more Monday, 23 September 13
Some Companies I have found Vulnerabilities in ..... And many more... Monday, 23 September 13
./Agenda Quick Introduction to Android Internals Android Security Model Android Coding Best Practices Android Malware, Technique, Effectiveness using AFE (Android Framework for Exploitation) Small Social Experiment ! Monday, 23 September 13
Android Internals.exe Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS) Application runs through Dalvik VM (Dalvik Virtual Machine) Dalvik VM runs executable files like dex (Dalvik executable) or apk files apk files are zipped content of Resources, Signatures, classes.dex and AndroidManifest.xml file Monday, 23 September 13
Android Security Model.txt Application are sandboxed (Runs with different UID and GID) Zygote spawns a new process for each Application Each Application runs with a separate instance of Dalvik VM Special Permissions are provided to access Hardware API’s Permissions are mentioned in AndroidManifest.xml file. Monday, 23 September 13
Android Application.apk Just an Archive ! Written mainly in Java and XML Multiple Entry-points, such as Activity, Services, Intents, Content Providers, etc. Monday, 23 September 13
AndroidManifest.xml Monday, 23 September 13
CAN THESE PERMISSION BE BYPASSED? Monday, 23 September 13
Uploading a sensitive file from SD-Card to Remote Server without any Permission! Read Files from SD-Card Uploads File to Remote Server Upload a file through Browser Permission not Required for READING files from SD Card Opening Browser through INTENT doesn’t requires Permission Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/")); Save theValue in the GET parameter to a file in Server Monday, 23 September 13
QUICK-DEMO ( SHOULD I ) ? Monday, 23 September 13
Android Coding Best Practices Follow -> http://developer.android.com/guide/practices/index.html Top 10 Mobile Risks (Outdated) -> https://www.owasp.org/index.php/ Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Attend more GDG Talks and other Security Conferences Shoot me a tweet @sunnyrockzzs Monday, 23 September 13
AndroidManifest.xml OMG ! Activities, Services, Receivers should not be exported or else you can bypass those activities ! Monday, 23 September 13
AndroidManifest.xml OMG ! (Contd.) android:exported= “True” in <provider> will turn into a nightmare ! BTW by default it is “True” if either android:minSdkVersion or android:targetSdkVersion to “16” or lower. For applications that set either of these attributes to “17” or higher, the default is “false”. Monday, 23 September 13
AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)Monday, 23 September 13
ANDROID MALWARE Monday, 23 September 13
Android Malware (Common Features) Send SMS to premium Number Subscribe to premium Services Dial Premium number Steal messages, contact list, logs Steal SD-Card files Auto-respond to attackers’s text messages ! Monday, 23 September 13
Creating a Malware.vbs Use CONTENT PROVIDERS Make use of CURSORS & SQLITE databases Write JAVA codes like crazy Set up Server component Get frustrated, start from bullet-point one. Monday, 23 September 13
If you don’t have past relationship with JAVA Monday, 23 September 13
Android Framework for Exploitation Monday, 23 September 13
Let’s Create a Malware ! Monday, 23 September 13
What about GOOGLE? Presenting GOOGLE Bouncer ! Monday, 23 September 13
“I am not Afraid” - Eminem Monday, 23 September 13
Faking Legitimate Application? Malware services generally injected in legitimate applications How to do it? legitimate apk Smali/Java Add malicious services/classes RecompileFinal malware Monday, 23 September 13
USE AFE TO AUTOMATE !! Monday, 23 September 13
Android Framework for Exploitation.py To make your life easier ! Find security vulnerabilities in your device+apps Protect your device against malwares Create automated malwares/botnets + send the data to a python listener Inject malicious services in another applications Use Android Exploits Crypt existing malwares to make them FUD Monday, 23 September 13
AFE Perspective.c Offensive Defensive Malware Creation BotNet Automation Crypting Injecting Content Query App Assesment Fuzzing Kernel Assesment Monday, 23 September 13
AFE Internals.py Python Based Plugin Based Architecure Modules Libraries Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Rebuild + Zipalign Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Modifies the classnames and all its references within files Example: Converts com.example.org to com.omg.lol Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Split variables into two, and append at runtime Example: String a = “hello” Will now become String aa = “hel” String ab = “lo” String a = aa + ab Monday, 23 September 13
Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Add dummy loops to change CFG Example: goto end; start: //everything in this label will execute, only when it is called ........ end: //everything in this label will execute, only when it is called goto start; Monday, 23 September 13
Statistics? ? ? ? ? ? ?.xls Earlier Detection: 30/46 Monday, 23 September 13
Statistics? ? ? ? ? ? ?.xls Detection after Crypting: 4/46 Monday, 23 September 13
OOPS CRYPTING MODULE IS NOT PUBLIC :) Monday, 23 September 13
./Conclusion -h Be safe Don’t download apps from 3rd party markets Turn USB debugging OFF Anti-virus vendors -> Switch to dynamic analysis Focus on BYOD security We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation for both Android and iOS Monday, 23 September 13
HEY WAIT!! WHERE IS THE SOCIAL EXPERIMENT ? Monday, 23 September 13
./QUESTIONS subho.halder@gmail.com security@xysec.com http://xysec.com @sunnyrockzzs Monday, 23 September 13
STILL CURIOUS ?? MEET ME NOW !!! Monday, 23 September 13

Empfohlen

Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 

Empfohlen

Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Pentesting Android Applications
Pentesting Android ApplicationsPentesting Android Applications
Pentesting Android ApplicationsCláudio André
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Pentesting Android Apps
Pentesting Android AppsPentesting Android Apps
Pentesting Android AppsAbdelhamid Limami
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Internet Security Auditors
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
Android SDK Tutorial | Edureka
Android SDK Tutorial | EdurekaAndroid SDK Tutorial | Edureka
Android SDK Tutorial | EdurekaEdureka!
 
Mobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıAhmet Gürel
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityNowSecure
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
mobile application security
mobile application securitymobile application security
mobile application security-jyothish kumar sirigidi
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session Avinash Sinha
 

Weitere ähnliche Inhalte

Was ist angesagt?

Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Internet Security Auditors
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
Android SDK Tutorial | Edureka
Android SDK Tutorial | EdurekaAndroid SDK Tutorial | Edureka
Android SDK Tutorial | EdurekaEdureka!
 
Mobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıAhmet Gürel
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityNowSecure
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 

Was ist angesagt? (20)

Android Security
Android SecurityAndroid Security
Android Security
 
Android security
Android securityAndroid security
Android security
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
Mobile security
Mobile securityMobile security
Mobile security
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Android Hacking
Android HackingAndroid Hacking
Android Hacking
 
Android Security
Android SecurityAndroid Security
Android Security
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...Android reverse engineering: understanding third-party applications. OWASP EU...
Android reverse engineering: understanding third-party applications. OWASP EU...
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Android Security
Android SecurityAndroid Security
Android Security
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
Android SDK Tutorial | Edureka
Android SDK Tutorial | EdurekaAndroid SDK Tutorial | Edureka
Android SDK Tutorial | Edureka
 
Mobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim DökümanıMobil Pentest Eğitim Dökümanı
Mobil Pentest Eğitim Dökümanı
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app security
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
mobile application security
mobile application securitymobile application security
mobile application security
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 

Andere mochten auch

Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session Avinash Sinha
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
Presentation on Android operating system
Presentation on Android operating systemPresentation on Android operating system
Presentation on Android operating systemSalma Begum
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Sina Manavi
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and PrivacyAnika Tasnim Hafiz
 
Art of Thinking [Re-write]
Art of Thinking [Re-write]Art of Thinking [Re-write]
Art of Thinking [Re-write]Ammar WK
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesBulent Buyukkahraman
 
Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_osbaroqueworksdev
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва it-people
 
Data Storage In Android
Data Storage In Android Data Storage In Android
Data Storage In Android Aakash Ugale
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration TestingOWASP
 
Mobile application security and threat modeling
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modelingShantanu Mitra
 

Andere mochten auch (20)

Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
My Null Android Penetration Session
My Null Android Penetration Session My Null Android Penetration Session
My Null Android Penetration Session
 
Android ppt
Android ppt Android ppt
Android ppt
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Android ppt
Android pptAndroid ppt
Android ppt
 
Presentation on Android operating system
Presentation on Android operating systemPresentation on Android operating system
Presentation on Android operating system
 
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
Android Application Security Awareness Talk, OWASP MEETUP Q3, 2015
 
Sperasoft talks: Android Security Threats
Sperasoft talks: Android Security ThreatsSperasoft talks: Android Security Threats
Sperasoft talks: Android Security Threats
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and Privacy
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Art of Thinking [Re-write]
Art of Thinking [Re-write]Art of Thinking [Re-write]
Art of Thinking [Re-write]
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing Services
 
Firebase analytics for_android _ i_os
Firebase analytics for_android _ i_osFirebase analytics for_android _ i_os
Firebase analytics for_android _ i_os
 
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва Security in Android Application, Александр Смирнов, RedMadRobot, Москва
Security in Android Application, Александр Смирнов, RedMadRobot, Москва
 
Data Storage In Android
Data Storage In Android Data Storage In Android
Data Storage In Android
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
 
Firebase
FirebaseFirebase
Firebase
 
Mobile application security and threat modeling
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modeling
 

Ähnlich wie Android Security & Penetration Testing

Engineering culture
Engineering cultureEngineering culture
Engineering culturePamela Fox
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 
Matt training-html-halfday
Matt training-html-halfdayMatt training-html-halfday
Matt training-html-halfdayMatthew Dobson
 
(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensicsINSIGHT FORENSIC
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackSoya Aoyama
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Tools/Processes for serious android app development
Tools/Processes for serious android app developmentTools/Processes for serious android app development
Tools/Processes for serious android app developmentGaurav Lochan
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
Continuous Delivery at Netflix
Continuous Delivery at NetflixContinuous Delivery at Netflix
Continuous Delivery at NetflixRob Spieldenner
 
[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...BeMyApp
 
Windows 10 URI persistence technique
Windows 10 URI persistence techniqueWindows 10 URI persistence technique
Windows 10 URI persistence techniqueGiulio Comi
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareAchim D. Brucker
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecaseKazuki Omo
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 

Ähnlich wie Android Security & Penetration Testing (20)

Engineering culture
Engineering cultureEngineering culture
Engineering culture
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_software
 
Matt training-html-halfday
Matt training-html-halfdayMatt training-html-halfday
Matt training-html-halfday
 
(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics
 
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackAn inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Tools/Processes for serious android app development
Tools/Processes for serious android app developmentTools/Processes for serious android app development
Tools/Processes for serious android app development
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Continuous Delivery at Netflix
Continuous Delivery at NetflixContinuous Delivery at Netflix
Continuous Delivery at Netflix
 
Android TCJUG
Android TCJUGAndroid TCJUG
Android TCJUG
 
[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...[Ultracode Munich #4] Short introduction to the new Android build system incl...
[Ultracode Munich #4] Short introduction to the new Android build system incl...
 
Windows 10 URI persistence technique
Windows 10 URI persistence techniqueWindows 10 URI persistence technique
Windows 10 URI persistence technique
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Usable Security for Developers: A Nightmare
Usable Security for Developers: A NightmareUsable Security for Developers: A Nightmare
Usable Security for Developers: A Nightmare
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecase
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
A false digital alibi on mac os x
A false digital alibi on mac os xA false digital alibi on mac os x
A false digital alibi on mac os x
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 

Mehr von Subho Halder

Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Subho Halder
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSubho Halder
 
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Subho Halder
 
Android App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserAndroid App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserSubho Halder
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)abilitySubho Halder
 

Mehr von Subho Halder (6)

Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
 
Securing Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest VersionSecuring Mobile Apps - Appfest Version
Securing Mobile Apps - Appfest Version
 
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
Security, Privacy & Convenience – key drivers for mobile adoption from a cons...
 
Android App (Vulner)ability - Teaser
Android App (Vulner)ability - TeaserAndroid App (Vulner)ability - Teaser
Android App (Vulner)ability - Teaser
 
iOS (Vulner)ability
iOS (Vulner)abilityiOS (Vulner)ability
iOS (Vulner)ability
 

Kürzlich hochgeladen

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 

Kürzlich hochgeladen (20)

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

Android Security & Penetration Testing

  • 1. ANDROID SECURITY & PENETRATION TESTING Subho Halder @sunnyrockzzs #AFE Monday, 23 September 13
  • 2. ./AboutMe.sh Information Security Researcher Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan. Lead Developer of AFE (Android Framework for Exploitation) Python Lovers Co-founder of XYSEC (http://xysec.com) Have found bug in some famous websites including Google, Apple, Microsoft, Skype, Adobe and many more Monday, 23 September 13
  • 3. Some Companies I have found Vulnerabilities in ..... And many more... Monday, 23 September 13
  • 4. ./Agenda Quick Introduction to Android Internals Android Security Model Android Coding Best Practices Android Malware, Technique, Effectiveness using AFE (Android Framework for Exploitation) Small Social Experiment ! Monday, 23 September 13
  • 5. Android Internals.exe Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS) Application runs through Dalvik VM (Dalvik Virtual Machine) Dalvik VM runs executable files like dex (Dalvik executable) or apk files apk files are zipped content of Resources, Signatures, classes.dex and AndroidManifest.xml file Monday, 23 September 13
  • 6. Android Security Model.txt Application are sandboxed (Runs with different UID and GID) Zygote spawns a new process for each Application Each Application runs with a separate instance of Dalvik VM Special Permissions are provided to access Hardware API’s Permissions are mentioned in AndroidManifest.xml file. Monday, 23 September 13
  • 7. Android Application.apk Just an Archive ! Written mainly in Java and XML Multiple Entry-points, such as Activity, Services, Intents, Content Providers, etc. Monday, 23 September 13
  • 9. CAN THESE PERMISSION BE BYPASSED? Monday, 23 September 13
  • 10. Uploading a sensitive file from SD-Card to Remote Server without any Permission! Read Files from SD-Card Uploads File to Remote Server Upload a file through Browser Permission not Required for READING files from SD Card Opening Browser through INTENT doesn’t requires Permission Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/")); Save theValue in the GET parameter to a file in Server Monday, 23 September 13
  • 11. QUICK-DEMO ( SHOULD I ) ? Monday, 23 September 13
  • 12. Android Coding Best Practices Follow -> http://developer.android.com/guide/practices/index.html Top 10 Mobile Risks (Outdated) -> https://www.owasp.org/index.php/ Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks Attend more GDG Talks and other Security Conferences Shoot me a tweet @sunnyrockzzs Monday, 23 September 13
  • 13. AndroidManifest.xml OMG ! Activities, Services, Receivers should not be exported or else you can bypass those activities ! Monday, 23 September 13
  • 14. AndroidManifest.xml OMG ! (Contd.) android:exported= “True” in <provider> will turn into a nightmare ! BTW by default it is “True” if either android:minSdkVersion or android:targetSdkVersion to “16” or lower. For applications that set either of these attributes to “17” or higher, the default is “false”. Monday, 23 September 13
  • 15. AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.) AndroidManifest.xml OMG ! (Contd.)Monday, 23 September 13
  • 17. Android Malware (Common Features) Send SMS to premium Number Subscribe to premium Services Dial Premium number Steal messages, contact list, logs Steal SD-Card files Auto-respond to attackers’s text messages ! Monday, 23 September 13
  • 18. Creating a Malware.vbs Use CONTENT PROVIDERS Make use of CURSORS & SQLITE databases Write JAVA codes like crazy Set up Server component Get frustrated, start from bullet-point one. Monday, 23 September 13
  • 19. If you don’t have past relationship with JAVA Monday, 23 September 13
  • 20. Android Framework for Exploitation Monday, 23 September 13
  • 21. Let’s Create a Malware ! Monday, 23 September 13
  • 22. What about GOOGLE? Presenting GOOGLE Bouncer ! Monday, 23 September 13
  • 23. “I am not Afraid” - Eminem Monday, 23 September 13
  • 24. Faking Legitimate Application? Malware services generally injected in legitimate applications How to do it? legitimate apk Smali/Java Add malicious services/classes RecompileFinal malware Monday, 23 September 13
  • 25. USE AFE TO AUTOMATE !! Monday, 23 September 13
  • 26. Android Framework for Exploitation.py To make your life easier ! Find security vulnerabilities in your device+apps Protect your device against malwares Create automated malwares/botnets + send the data to a python listener Inject malicious services in another applications Use Android Exploits Crypt existing malwares to make them FUD Monday, 23 September 13
  • 27. AFE Perspective.c Offensive Defensive Malware Creation BotNet Automation Crypting Injecting Content Query App Assesment Fuzzing Kernel Assesment Monday, 23 September 13
  • 29. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Monday, 23 September 13
  • 30. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Rebuild + Zipalign Monday, 23 September 13
  • 31. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Modifies the classnames and all its references within files Example: Converts com.example.org to com.omg.lol Monday, 23 September 13
  • 32. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Split variables into two, and append at runtime Example: String a = “hello” Will now become String aa = “hel” String ab = “lo” String a = aa + ab Monday, 23 September 13
  • 33. Let’s Make it FUD Matches the signature with its database Checks the activity, service and other class names checks the names of the variables Checks the control flow graph Add dummy loops to change CFG Example: goto end; start: //everything in this label will execute, only when it is called ........ end: //everything in this label will execute, only when it is called goto start; Monday, 23 September 13
  • 34. Statistics? ? ? ? ? ? ?.xls Earlier Detection: 30/46 Monday, 23 September 13
  • 35. Statistics? ? ? ? ? ? ?.xls Detection after Crypting: 4/46 Monday, 23 September 13
  • 36. OOPS CRYPTING MODULE IS NOT PUBLIC :) Monday, 23 September 13
  • 37. ./Conclusion -h Be safe Don’t download apps from 3rd party markets Turn USB debugging OFF Anti-virus vendors -> Switch to dynamic analysis Focus on BYOD security We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation for both Android and iOS Monday, 23 September 13
  • 38. HEY WAIT!! WHERE IS THE SOCIAL EXPERIMENT ? Monday, 23 September 13
  • 40. STILL CURIOUS ?? MEET ME NOW !!! Monday, 23 September 13